Christopher Burgess
Contributing Writer

Cybersecurity needs women — and it needs to treat them better

Opinion
27 Jan 2025, 9 mins
Human Resources, IT Leadership, IT Skills

Well into the 21st century, women still make up only 25% of the cybersecurity workforce — a mind-boggling issue that security leaders, cyber pros, and the industry at large must work to address.

The participation of women in cybersecurity is vital, a non-negotiable proposition. Forget any current handwringing over diversity and equity; it’s fundamental that the contribution of women to the profession has made cybersecurity better.

The proverbial door was kicked open long ago for women, who have made major contributions to the development of information security. But it’s the 21st century and there remain numerous barriers to their entry and advancement.

Frankly, that needs to change — and change now. I am continuously appalled to hear that women are leaving the profession, that the boys’ club mentality is still hedging women out, and that only somewhere between 11% and 24% of cyber pros are women.

The barriers are easily recognizable from years gone by, ranging from blatant misogyny to the more subtle shaping that occurs within the secondary school system and science, technology, engineering, and math (STEM) programs.

We are constantly told about the skills shortage in cybersecurity, and the fact that such a large potential group of candidates is nowhere to be seen is patently ridiculous. Want to bridge the gap? One solution seems obvious.

I spoke with organizations supporting the inclusion of women in cybersecurity, I spoke with CISOs both female and male, and there was universal agreement that solutions exist, but the will to enact them is lacking. We must invest time and energy if we wish to change the status quo.

A wide consensus exists that the pipeline to bring women into the cybersecurity field isn’t starting soon enough. There remains a noticeable gap in how early students, particularly young women, are exposed to cybersecurity as a viable career path.

The shunting of women away from IT starts early

High schools with STEM programs often prioritize biosciences and engineering, with cybersecurity and computer science taking a backseat. This emphasis on more “practical” fields inadvertently steers students away from technology-focused careers.

“To pave the way for the next generation of cybersecurity professionals, we need to incorporate cybersecurity into the education systems before higher education,” says Emily O’Carroll, field CISO at Guidepoint Security. “It will be critical to expose young women to cybersecurity opportunities early, get them interested, and demonstrate that they can work in this highly technical STEM field.”

To address this, intentional outreach is crucial, says Jackie Mattingly, a senior director of consulting at Clearwater focused on small and medium hospitals.

“Programs that introduce cybersecurity concepts in middle school or even earlier can demystify the field and spark interest before students start narrowing their career focus,” Mattingly says. “Partnerships between schools and industry professionals are also crucial — we need to be visible role models, showing students what a career in cybersecurity looks like and why it’s exciting.”

I couldn’t agree more.

I had the distinct pleasure of discussing the topic with Lynn Dohm, executive director of WiCyS (Women in Cybersecurity). She says it’s important to ensure young women are exposed to cybersecurity at an early age. But she stressed that teaching leadership skills to young women should go hand-in-hand with vocational training.

Companies must offer women the support to succeed

Mentorship and sponsorship can play important roles in capturing the interest of young women and focusing them on a career path, O’Carroll says. “In addition to mentorship and sponsorship, we need to look at how women are supported in the home and with their families to pursue cybersecurity roles and leadership positions.”

That would require companies to consider offering childcare and family care options and expand hybrid and work-from-home flexibility. “Additionally, we need to continue to support and explore non-traditional gender roles in the home where women share the home and family responsibilities more with their spouse,” O’Carroll says.

Another challenge particularly pernicious in cybersecurity is that roles tend to be defined too narrowly, says Donna K. Kidwell, acting CIO at the University of Toronto. “The easy things to define are the technical skills needed for a job,” she says. “That turns into ‘get these competencies and certifications.’”

That’s great, because the job does require technical skills, but it often turns out that bootcamps or competency development courses aren’t sufficient to convince women they have a place in the profession.

“Talented people find ways to contribute and end up in other sectors, or worse, may say to themselves ‘I’m not an IT person,’” Kidwell says. “A focus on the skills of learning, listening, translating, pivoting — those are found in all sorts of sectors and all sorts of people. We can train them on the tools. [We need to] start earlier but end this nonsense of asking, ‘What do you want to be when you grow up?’ and instead, ‘What would you like to contribute to have impact?’”

Family shouldn’t be a barrier to entry

There isn’t one of us that didn’t come from a mother. The belief that the biology of life has no place in the workplace is hogwash. Women, should they choose, should have the ability to be mothers without the fear that their career path or opportunities will be withheld.

Appropriate staffing, considerate schedules, and the like can allow mothers (and fathers) to plan the care for their dependents as best suits their situation. It is not extraordinary to seek a work-life balance, yet it is so often elusive, especially in the cybersecurity realm.

“When a cyberattack occurs, in-house cybersecurity roles are similar to being a first responder,” O’Carroll says. “As the CISO, we are often expected to drop everything at a moment’s notice to respond. This can be very disruptive to security leaders’ personal lives, especially as women, when we are often the primary caregivers for our families.”

“Just like they do in hospitals, the police force, or firefighting, companies can better support women in cybersecurity roles by properly staffing teams, developing on-call schedules, and trusting their personnel, policies, and procedures in the event of a cyberattack or incident,” O’Carroll says.

“In addition to mentorship and sponsorship, we need to look at how women are supported in the home and with their families to pursue cybersecurity roles and leadership positions,” she adds. “Companies should consider childcare and family care options and expand hybrid and work-from-home flexibility.”

Get involved to help correct the situation

Numerous initiatives are available for women in every career stage and every female CISO should have connectivity to one or more groups or associations.

I’ve already mentioned the Women in Cybersecurity (WiCyS) initiative in the United States and its focus on recruiting, retaining, and advancing women in the field through professional development programs, mentorship, and conferences. Similarly, Craig Newmark’s Foundation has invested in programs such as Black Girls Hack, Girls Who Code, and VetsinTech, which focus on training and supporting women and underrepresented groups in cybersecurity.

In Canada, the Women CyberSecurity Society (WCS2) offers flexible training options, scholarships, job placement services, and community support to help women enter and excel in cybersecurity. Within the European Union, Women4Cyber promotes gender balance in cybersecurity by creating a registry of European women in the field, offering mentorship programs, and organizing conferences.

Mattingly concluded with a piece of advice that I think is spot-on for CISOs, CIOs, and all who are currently in the world of cybersecurity: “The door is open, but we must do more to help young women walk through it confidently. That means starting earlier, providing the right support, and ensuring they see cybersecurity as an equally promising and rewarding career path.”

I have spoken in the past of how important mentoring is for CISO development, especially for first-time CISOs, and O’Carroll emphasized that “as cybersecurity leaders, we need to get more involved in the non-profits supporting these efforts or prioritize serving in a mentor capacity.”

Help women break the glass ceiling

The door is open. The wherewithal exists, yet it remains difficult for some women to move into the executive ranks. A CISO shared with me how when he pushed forward candidates for promotion to the executive ranks, the resistance was remarkable when it was either a woman or a person of color, and there was no attempt to be discreet.

While this CISO could have gone with the flow, he opted to be salmon-like and push forward despite the insipid countercurrent. He found that to get his high achievers into executive roles he had to make sure that they had every I dotted and every T crossed.

Meaning, if there was a leadership class available, they took it. Technical certificate? Get it! The candidate for promotion not only had to be good enough, they also had to be fully documented as better than good enough to forestall the bias within his HR, CIO, and senior executive ranks. 

The year is 2025. It seems ridiculous we’re still talking about this. Yet it remains the sad reality.

We must remove the misogyny from the equation, we must ensure all are availed the same opportunity for entrance into the field of cybersecurity and advancement. We must not expect women to be more prepared than their male peers.

In addition, we must ensure we aren’t creating an environment in which dreams are drowned and opportunity squelched, or as one senior executive said to me: “It’s not the talent pipeline that’s the problem; it’s the cesspool at the end of the pipeline.”

Christopher Burgess is a writer, speaker and commentator on security issues. He is a former senior security advisor to Cisco, and has also been a CEO/COO with various startups in the data and security spaces. He served 30+ years within the CIA, which awarded him the Distinguished Career Intelligence Medal upon his retirement. Cisco gave him a Stetson and a bottle of single-barrel Jack upon his retirement. Christopher co-authored the book “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century”. He also founded the non-profit Senior Online Safety.
